Interview with Marc Wise, Director of Privacy Office at Wal-Mart, Inc.
Enterprise Risk Management is no longer a division unto itself. ERM programs now aim to reach every division within the company, so that Risk Management is more than an idea: it is practiced throughout the entire enterprise as innately as breathing. Building plans that include pre-identified, vetted, and contracted service providers to immediately assist when a breach occurs is crucial to a successful ERM strategy.
Marc Wise, Director of Privacy Office at Wal-Mart, Inc., recently spoke with marcus evans about topics to be discussed at the upcoming ERM Evolution 2016 Conference:
How would you engage corporate communications and crisis management teams in order to pre-plan for an event?
MW: Corporate Communications and Crisis Management teams have existed since before the first data breach ever occurred. Teams with expertise in these subject areas understand the pressure that comes with an emergent situation at a company. Whether that situation is a hurricane, earthquake, product recall, or any of dozens of other issues, these teams have experience in the trenches that is invaluable to a breach response program. We must engage corporate communications and crisis management early and throughout the lifecycle of a breach program. Many of the strategies and communication needs can often be found in existing plans and templates that have been created to manage other critical events for the organization.
What are the best ways to manage an incident effectively under the best legal privilege framework?
MW: All breach responses need to come under the direction of legal counsel from the very beginning. Legal counsel needs to be engaged to direct the response and provide legal advice to the company they represent. This is important so that information that is gathered can be completely investigated to fully and transparently understand what occurred during the incident and, just as importantly, to understand what did not occur during an incident. Time has to be spent separating what is speculation from what is fact, and legal counsel is critical to that task and to ensuring the right questions are asked and answered.
How would you start building plans that include pre-identified, vetted, and contracted service providers, in order to immediately assist when a breach occurs?
MW: As with any other contract for services, the process should start with a well-thought-out Request for Information (RFI) or Request for Proposal (RFP). Building an RFI/RFP gives the response team an opportunity to holistically gather all of the aspects that they might need assistance with during a response. Services tend to fall into certain categories such as Legal, Forensic Investigation, Customer Protection/Risk Remediation Services, Mail/Email Operations, and Call Center Support. There are few, if any, vendor organizations that will be able to cover all of these categories, so the RFI/RFP process likely needs to be segmented. A response team member who has day-to-day responsibilities in these category areas should be assigned as a leader for both RFI/RFP development and RFI/RFP response review in their subject matter areas.
What are the most effective ways to brief executives and board members on response preparations?
MW: Companies should seek out what works best for briefing executives in their own organizations. This is an area where the crisis management organization of a company can lend support. The best results are attained when the leaders who are going to be on the receiving end of briefings and communications when a breach does occur are able to be together to discuss the response process. In most cases these leaders are not going to be in the same place when an incident occurs, so building trust and understanding what is important to each member of the leadership team needs to be intentional and part of any successful breach response program. A short scripted scenario that gets the leadership team thinking about a breach and what it could mean to the company, followed by opportunities to discuss which areas have which roles and how the leaders will receive communication, is important. It is critical to understand which area has responsibility for managing the breach and that they understand how they will interface with the key ultimate decision makers on the leadership team. In my experience, it is extremely important that leaders have a response team that speaks with a consensus voice of all of the key teams working together on the response. Mixed messages from the perspective of different team members often lead to confusion and sometimes lead to bad decisions on the part of leaders who act without having all of the facts or the perspective of all of the various teams. As with the investigation of the breach itself, these communications must be done at the direction of legal counsel.
Overall, what is the biggest takeaway from this conference?
MW: The biggest takeaway is that breaches are inevitable and require time to plan, just as we would plan for any new business venture. Whether we are planning for a disruption like a weather disaster or the launch of a new product or service, we are only successful if we have a good plan and everyone knows the role they play in executing the plan. Breaches will all have different fact patterns and nuances, but they all have a fairly consistent flow from discovery to investigation to response/remediation to communication to response assessment/plan update. Most of the security experts I speak to say it is not “if” a breach will occur, it is “when”. While we do all we can to prevent the incidents, we must be fully capable of responding when a breach does occur. While there is fatigue among customers who see breach headlines with regularity, adequate planning can be the difference in the response that can lead to reestablishing trust with customers who have been impacted by a breach.
Marc Wise has been a Director in the Privacy Office of Wal-Mart Stores, Inc. since 2011. He directs privacy compliance across US Operations, including Walmart Stores, Sam’s Club, and Walmart.com. In this role, Marc is responsible for privacy risk assessments and compliance assessments across US Operations. He leads the corporate suspected breach readiness and response program. He oversees the integration of privacy by design programs with the information technology division and US operations projects. Marc also participates with industry and trade groups on privacy and breach incident policy related matters. Over his 25-year career, he has worked across several industries including retail, banking, insurance, brokerage, and consulting. Marc is a Certified Information Systems Auditor (CISA), a Certified Information Privacy Technologist (CIPT), and a Certified Information Privacy Professional – US (CIPP-US).